Managing Active Directory with Policies
Many of the Group Policy settings detailed in the previous sections of this tutorial for computer and user management apply only to domain environments. Group Policy can also be used, and commonly is, to manage security and configuration settings within Active Directory itself. Many settings apply to server role configurations to standardize security and configuration, but one main purpose of the Active Directory domain group policies is to set the password policy for all users in the domain. To configure the domain password policy settings, edit the Default Domain Policy. The password policy settings are contained in the Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy node.
When administrators review or need to update the domain password policy, an account lockout policy should also be defined. The account lockout policy determines how many failed password attempts will be tolerated before a user account is locked, and whether the account will be automatically unlocked. The following list contains the three account lockout settings:
- Account Lockout Duration: This setting defines how many minutes an account will remain locked out before it is automatically unlocked by the system.
- Account Lockout Threshold: This setting defines the number of failed logon attempts that will be allowed before the user account is locked out.
- Reset Account Lockout Counter After: This setting defines the number of minutes before the bad logon count is returned to zero.
Fine-Grained Password Policies
Fine-grained password policies were introduced with Windows Server 2008 and are also included with Windows Server 2008 R2 domains. The feature is only available in domains operating at the Windows Server 2008 or later domain functional level. A fine-grained password policy is a password policy that can be defined and applied to a single user or a set of users. This can be a very valuable feature for organizations that require interoperability with legacy systems or applications whose service accounts cannot adhere to the standard domain password policy. Fine-grained password policies are stored in the domain Password Settings Container and are defined as Password Settings Objects. To create a new Password Settings Object, perform the following steps:
- Log on to a designated Windows Server 2008 R2 administrative server.
- Click Start, click in the Search pane, type in MMC, and press Enter.
- When the Microsoft Management Console opens, click the File menu and select Add/Remove Snap-In.
- In the Add/Remove Snap-In window, in the Available Snap-Ins list, locate and double-click on ADSI Edit to add it to the Selected Snap-Ins list. Click OK to close the Add/Remove Snap-In window. If the ADSI Edit snap-in is not listed, install the Remote Server Administration Tools from the Add Features option in Server Manager, and then repeat this step again.
- Back in the MMC, in the tree pane, right-click the ADSI Edit node and select Connect To.
- When the window opens to select a naming context, the default naming context will be the default selection; do not make any changes and click OK.
- In the tree pane, expand the default naming context to reveal the domain naming context; in this example, it is named dc=companyabc,dc=com.
- Expand the domain naming context to reveal the CN=System node. Expand the System node to reveal the Password Settings Container.
- Right-click the Password Settings Container and select New Object.
- When the Create Object window opens, select the msDS-PasswordSettings object class, and click Next.
- On the Common-Name page, type in Fine-GrainedPSO and click Next.
- On the Password Setting Precedence page, type in 5 and click Next.
- On the msDS-PasswordReversibleEncryptionEnabled page, set the value to False and click Next.
- On the msDS-PasswordHistoryLength page, set the value to 5 and click Next.
- On the msDS-PasswordComplexityEnabled page, set the value to False and click Next.
- On the msDS-MinimumPasswordLength page, set the value to 6 and click Next.
- On the msDS-MinimumPasswordAge page, set the value to -864000000000 and click Next. This is the equivalent of 1 day; the value must be entered as a negative number.
- On the msDS-MaximumPasswordAge page, set the value to -77760000000000 and click Next. This is the equivalent of 90 days.
- On the msDS-LockoutThreshold page, set the value to 0 and click Next. Setting this value to zero means the account is never locked out, regardless of the number of failed logon attempts.
- On the msDS-LockoutObservationWindow page, set the value to -9000000000 and click Next. This is the equivalent of 15 minutes.
- On the msDS-LockoutDuration page, set the value to -9000000000 and click Next. This is the equivalent of 15 minutes.
- On the final page, click Finish to create the Password Settings Object (PSO).
- After the PSO is created, select the Password Settings Container in the tree pane. In the Settings pane, right-click the new Fine-GrainedPSO object, and select Properties.
- When the Fine-GrainedPSO opens, click the Filter button and check the Show Only Attributes That Have Values check box.
- Review the configured settings and click OK when finished.
Now that a new fine-grained password policy, the Fine-GrainedPSO, has been created, it can be applied to specific user accounts. To apply this PSO to a user account, perform the following steps:
- Open the properties of the Fine-GrainedPSO. If necessary, click the Filter button and uncheck the Show Only Attributes That Have Values check box.
- Scroll down and locate the msDS-PSOAppliesTo attribute and double-click it to open the property pages.
- Click on the Add Windows Account button to locate users using the Select Users, Computers or Groups window.
- In the Select Users, Computers or Groups window, type in the name of a user and click OK.
- If the user is located, the user's logon name and distinguished name are added to the msDS-PSOAppliesTo window. Click OK. Repeat the process to add additional users if required.
- Click OK again to close the Fine-GrainedPSO and close the ADSI Edit snap-in.
- Log on to a workstation or server with a user account added to the policy and change the password to verify that the Fine-GrainedPSO has been applied properly.
Even though fine-grained password policies should be used sparingly and only when necessary, once administrators learn of the feature, many accounts tend to end up in a PSO that is less restrictive than the domain password policy. To keep track of which users PSOs apply to, review the PSOs in the Password Settings Container regularly.
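The same PSO creation, assignment and audit described in the two procedures above and in the preceding paragraph can be scripted with the Active Directory PowerShell module instead of ADSI Edit. This is an added example, not code from the original tutorial; it assumes the Active Directory module (RSAT) is installed, the domain is at the Windows Server 2008 functional level or later, and the account name svc-legacyapp is a placeholder. The TimeSpan values replace the negative 100-nanosecond interval numbers the raw attributes require.

```powershell
# Added example: builds the Fine-GrainedPSO from the walkthrough with the
# AD module, applies it, and reports which principals each PSO covers.
Import-Module ActiveDirectory

$psoName = 'Fine-GrainedPSO'

# Values match the ADSI Edit walkthrough above.
$psoParams = @{
    Name                        = $psoName
    Precedence                  = 5
    ReversibleEncryptionEnabled = $false
    PasswordHistoryCount        = 5
    ComplexityEnabled           = $false
    MinPasswordLength           = 6
    MinPasswordAge              = New-TimeSpan -Days 1
    MaxPasswordAge              = New-TimeSpan -Days 90
    LockoutThreshold            = 0          # 0 = the account is never locked out
    LockoutObservationWindow    = New-TimeSpan -Minutes 15
    LockoutDuration             = New-TimeSpan -Minutes 15
}

# Create the PSO only if it does not already exist, so the script can be rerun.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy @psoParams
}

# Apply the PSO to the accounts that need the relaxed policy (placeholder names).
$subjects = @('svc-legacyapp')
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $subjects

# Verify: the resultant policy for each subject should now be this PSO,
# because its precedence (5) wins over the Default Domain Policy.
foreach ($s in $subjects) {
    $rsop = Get-ADUserResultantPasswordPolicy -Identity $s
    "{0}: effective policy = {1}" -f $s, $rsop.Name
}

# Audit: list every PSO in the Password Settings Container together with the
# principals it applies to, so less restrictive policies can be reviewed regularly.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    $applies = Get-ADFineGrainedPasswordPolicySubject -Identity $_.Name
    New-Object PSObject -Property @{
        PSO        = $_.Name
        Precedence = $_.Precedence
        MinLength  = $_.MinPasswordLength
        AppliesTo  = ($applies | ForEach-Object { $_.SamAccountName }) -join ', '
    }
} | Sort-Object Precedence | Select-Object PSO, Precedence, MinLength, AppliesTo |
    Format-Table -AutoSize
```

If Get-ADUserResultantPasswordPolicy returns nothing for a subject, no PSO applies and the account is governed by the Default Domain Policy.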